LAW FIRM INFORMATION GOVERNANCE SYMPOSIUM, JULY 2014
HIPAA OMNIBUS TASK FORCE REPORT, JULY 2014



CONTENTS

Background
Introduction
Section I: Important Dates and General Application of the Final HIPAA Omnibus Rule
Section II: Business Associates
Section III: Enforcement and Penalties
Section IV: Privacy Requirements
Section V: Security Requirements
Section VI: Breach Notification
Section VII: Data Protection and Privacy Program
Section VIII: Recommended Best Practices
References
Authorities
Appendix: HIPAA Omnibus Security Rule Compliance Table


BACKGROUND

The Law Firm Information Governance Symposium was established in 2012 as a platform for the legal industry to create a roadmap for information governance (IG) in the unique setting of law firms. The Symposium offers definitions, processes, and best practices for building law firm IG. Firms can leverage the Symposium content to tailor an IG program that works for their culture and goals. In 2013, the Symposium Steering Committee created four task forces to work on specific, current law firm IG topics. This HIPAA Omnibus Task Force report summarizes and analyzes key components of the HIPAA Omnibus Rule that affect law firms, and explores industry best practices for achieving HIPAA compliance in a law firm environment.

SYMPOSIUM STEERING COMMITTEE

BRIANNE AUL
Firmwide Records Senior Manager
Reed Smith, LLP

BRYN BOWEN, CRM
Principal
Greenheart Consulting Partners LLC

LEIGH ISAACS, CIP
Director of Records and Information Governance
Orrick, Herrington and Sutcliffe LLP

RUDY MOLIERE
Director of Records and Information
Morgan, Lewis & Bockius LLP

CHARLENE WACENSKE
Senior Manager Firm Wide Records
Morrison & Foerster LLP

CAROLYN CASEY, ESQ.
Senior Manager, Legal Vertical
Iron Mountain


2013/2014 HIPAA TASK FORCE

BRIAN B. MCCAULEY, CRM, IGP (Task Force Leader)
Director of Information Governance
McDermott Will & Emery LLP

SCOTT CHRISTENSEN
Director of Technology and Information Security
Edwards Wildman Palmer LLP

KATHRYN HUME
Senior Risk Management Consultant
Intapp

GRANT W. JAMES
Sr. Manager Knowledge Management
Troutman Sanders LLP

SHARON KECK
Director of Risk and Records
Polsinelli PC

ANN KILLILEA
Counsel
McDermott Will & Emery LLP

FARON LYONS
Account Manager
Alfresco Software, Inc.

RUDY MOLIERE
Firm Director, Records & Information
Morgan, Lewis & Bockius LLP
Law Firm Information Governance Symposium Steering Committee

CHARLENE WACENSKE
Senior Manager Firmwide Records
Morrison & Foerster LLP
Law Firm Information Governance Symposium Steering Committee

SYMPOSIUM PARTICIPANTS

The following Symposium Participants, along with 26 task force authors, offered peer review comments on the draft task force report at the 2014 Symposium.

ANGELA AKPAPUNAM
Wilmer Cutler Pickering Hale and Dorr LLP

KAREN ALLEN
Morgan Lewis & Bockius LLP

BETH CHIAIESE
Foley & Lardner LLP

RICHARD CLARK
Haynes and Boone, LLP

ALLEN GEBHARDT
Independent Contractor

CHARLES KENNEDY
Jones Day

DEB RIFENBARK
Stinson Leonard Street LLP

JENNIFER STAKES
Littler Mendelson PC

BRETT WISE
Ogletree Deakins


INTRODUCTION

The U.S. 2013 Health Insurance Portability and Accountability Act (HIPAA) [1] Omnibus Rule, [2] which went into effect on March 26, 2013 and mandated compliance by September 23, 2013, finalizes multiple previous revisions to the HIPAA regulations that directly impact law firms. The most significant change is the vastly expanded scope of HIPAA enforcement. Previously, HIPAA regulations applied only to "covered entities", organizations like healthcare providers and insurers, and did not extend statutory liability for compliance to their "business associates", such as their law firms. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act laid the groundwork for multiple provisions affecting business associates that are now fully enforced. Under the new Omnibus Rule, both business associates and subcontractors of covered entities are directly liable for violations of the Security Rule and select provisions of the Privacy Rule, including the requirement that the use and disclosure of Protected Health Information (PHI) be limited to the "minimum necessary" for an intended purpose.

Especially when considered alongside emerging state data privacy and security laws and transitive requirements imposed on firms by clients in regulated industries like financial services, the Omnibus Rule is significantly changing the way law firms develop and implement a culture focused on regulatory compliance, client data privacy, and client confidentiality. To achieve compliance with the new HIPAA rules, many firms have little choice but to enhance their confidentiality controls and to adopt more stringent security measures to prevent unauthorized disclosure of any information protected under HIPAA's rules.

The following report summarizes and analyzes key components of the HIPAA Omnibus Rule that affect law firms as HIPAA business associates, i.e., in their role as custodians of HIPAA protected health information on behalf of their clients. The report does not provide an exhaustive overview of the HIPAA rules as they affect covered entities, but focuses more narrowly on those requirements of core concern for law firms. It should be noted that law firms sponsoring group health plans for their employees may qualify as HIPAA covered entities; such firms should consult the rules in their full application to covered entities.

After presenting the elements of the HIPAA Omnibus Rule for which law firm business associates are liable, the report outlines the framework for a law firm enterprise data protection program comprehensive enough to satisfy the multiple data privacy and security requirements imposed by HIPAA. The report concludes by recommending a set of industry best practices for achieving HIPAA compliance in a law firm environment.


SECTION I: IMPORTANT DATES AND GENERAL APPLICATION OF THE FINAL HIPAA OMNIBUS RULE

» January 25, 2013: The Federal Register published the final HIPAA Omnibus Rule.
» March 26, 2013: The HIPAA Omnibus Rule officially went into effect.
» September 23, 2013: Compliance deadline for virtually every provision of the new rules, with the exception of a grace period for updates to existing business associate agreements.
» September 22, 2014: Final deadline for updates to business associate agreements to accommodate the changes to the HIPAA security, privacy, and breach notification rules.

SECTION II: BUSINESS ASSOCIATES

LAW FIRMS AS BUSINESS ASSOCIATES AND SUBCONTRACTORS

The vast majority of law firms are liable for compliance with the HIPAA Omnibus Rule because they can be classified as HIPAA business associates with respect to clients that qualify as covered entities, or with respect to third-party organizations that process HIPAA-protected information on behalf of a covered entity. Previously, law firms were only classified as business associates liable for compliance with HIPAA/HITECH if they had a contract in place with a covered entity defining them as such and stipulating conditions for handling PHI. Pursuant to the new Omnibus Rule, law firms now qualify as business associates by definition, independent of whether they are defined as such in a business associate agreement. Indeed, the final rule expands the definition of a business associate to include all those entities that create, receive, maintain, or transmit PHI on behalf of a covered entity. Still, a core compliance requirement is that firms have a business associate agreement in place with all covered entities.

If the defense of a client in a medical malpractice claim requires access to PHI, the law firm will qualify as a business associate, while information procured from a plaintiff via subpoena does not establish the status of business associate and need not be subject to the same constraints. Information produced in litigation during discovery also does not establish business associate status, since this information is not procured voluntarily on behalf of a covered entity organization, but merely brought into scope pursuant to court discovery rules and practices.

This expanded definition brings certain previously unaffected organizations into the business associate fold, exposing them to the same compliance requirements as their covered entity clients. On March 19, 2014, for example, the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced its intention to survey up to 1,200 covered entities and business associates to determine their suitability for a more fulsome compliance audit. Audits can result in regulatory fines, corrective action plans, and civil monetary penalties.

Additionally, the scope of the Omnibus Rule extends beyond business associates to impact other people or organizations that only process PHI indirectly and have no direct relationship to covered entities. Such entities, referred to as subcontractors, perform functions for or provide services to a business associate, but are not members of the business associate's direct workforce. For example, a hosted service provider or an expert witness that comes into contact with PHI would qualify as a subcontractor. According to the new rules, subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are now also considered business associates and are subject to the same compliance obligations.


DIRECT LIABILITY

The Omnibus Rule holds business associates directly liable for the following HIPAA provisions:

» Impermissible uses and disclosures.

» Failure to provide breach notification to the covered entity.

» Failure to provide access to a copy of electronic PHI to the covered entity, the individual, or the individual’s

designee (whichever is specified in the business associate contract).

» Failure to disclose PHI where required by HHS to investigate or determine the business associate’s

compliance with HIPAA.

» Failure to provide an accounting of disclosures.

» Failure to comply with the applicable requirements of the security rule.

In addition, business associates remain contractually liable for other requirements of the business associate contract. Of note, the Omnibus Rule makes clear that a covered entity is not required to enter into a contract or other arrangement with a business associate that is a subcontractor. If the business associate chooses to hire the subcontractor directly, then the business associate is responsible for ensuring that a HIPAA-compliant subcontractor agreement is executed. Law firms that act as business associates should take steps to ensure they are in compliance, including drafting and executing business associate agreements with those subcontractors that rise to the level of business associates. To the extent law firms work with independent contractor consultants or others who will have access to PHI as part of the representation, they should ensure those parties adhere to the HIPAA privacy and security requirements as well.

SECTION III: ENFORCEMENT AND PENALTIES

The Omnibus Rule not only increased the scope of HIPAA/HITECH to render business associates and their subcontractors directly liable for compliance with HIPAA rules, but also modified the structure of penalties for breaches of compliance. Pursuant to the revisions, penalties can now range from $100 to $50,000 per violation, with maximum penalties for violations of the same HIPAA provision of $1.5 million per year [please see Table 1 below]. Penalty amounts are determined by the severity of a breach of PHI and the level of culpability attributed to the party responsible for the breach. Business associates and subcontractors are directly liable for their violations. Covered entities, in addition, can be penalized for violations committed by affiliated business associates and subcontractors.

COMPLIANCE REVIEWS AND COMPLAINT INVESTIGATIONS

Prior to the Omnibus Rule, HHS/OCR could choose to disregard security breaches and individual complaints, unless the breach was deemed severe enough to necessitate review. Under the new rule, when a "preliminary review of the facts" suggests a violation due to "willful neglect" by the covered entity or business associate, HHS/OCR is required to investigate complaints and conduct compliance reviews. However, in lieu of conducting a formal enforcement action to resolve a non-compliance issue, HHS/OCR may elect to resolve the matter informally. HHS/OCR may gather additional facts and relevant information through an inquiry process with the covered entity or business associate to determine responsibility and cause after being notified of a reported breach or a filed complaint. OCR compliance reviews are mandatory when violations are caused by willful neglect or some other form of culpability.


Leon Rodriguez, OCR Director at the time this report was prepared (mid-2014), made multiple public statements warning business associates to prepare for an increase in the number of formal investigations and settlement orders. The focus on business associates stems from breach history patterns: from 2009 (after HITECH passed) to 2012, 57% [3] of reported PHI breaches occurred in business associate environments. Law firms should make progress on compliance initiatives to avoid the steep penalties associated with a charge of "willful neglect."

FINES

Collective responsibility for a violation may be attributable to covered entities, business associates, and subcontractors; consequently, HHS/OCR may determine that all three should receive fines. Fines can become very expensive, very quickly, because they are calculated on a per-person-affected, per-day-effective basis, with multiple factors from different parts of the overall HIPAA rules considered to define and impose penalties. OCR will impose higher penalties for violations occurring after February 18, 2009, and retain the former penalty structure for violations that occurred prior to that date.

DETERMINATION OF RESPONSIBILITY OR "STATE OF MIND" | POTENTIAL PENALTY PER VIOLATION | MAXIMUM ANNUAL CAP FOR ALL VIOLATIONS OF IDENTICAL HIPAA PROVISION
Violation was not known and could not have been discovered with reasonable diligence | $100 – $50,000 | $1,500,000
Reasonable cause for violation, not due to willful neglect | $1,000 – $50,000 | $1,500,000
Violation due to willful neglect, but corrected within 30 days | $10,000 – $50,000 | $1,500,000
Violation due to willful neglect, not corrected within 30 days | $50,000 | $1,500,000

TABLE 1

Law firms should be aware there is no single official method for tallying monetary penalties, and total penalties will exceed those incurred prior to the HITECH Act, when firms were only liable for breach of contract. While a possible penalty of $1.5 million per provision may seem like a steep fine, the greatest risk a compliance breach poses to a firm is a tarnished reputation that could compromise future business opportunities with clients.


SECTION IV: PRIVACY REQUIREMENTS

The HIPAA Omnibus Rule comprises three principal subsections that stipulate who may access PHI (the Privacy Rule), how electronic PHI should be protected to ensure that only those who should have access actually do (the Security Rule), and what steps organizations must take in the event that someone accesses PHI without authorization (the Breach Notification Rule). The Omnibus Rule formalized multiple changes to each of these individual subsections to intensify and clarify their scope and application. This report focuses on the changes of most relevance for law firm business associates.

STRUCTURE OF THE HIPAA PRIVACY RULE

Data privacy regulations like the HIPAA Privacy Rule set standards for uses and disclosures of personally identifiable information (PII), information that can be used on its own or with other information to identify, contact, or locate a single person and potentially do harm to this individual. The Privacy Rule defines the rights that individuals have to determine how others use their personal health information.

As is always the case with access control rights and restrictions, the challenge with the HIPAA Privacy Rule is to strike the right balance between the information flows required for business needs and the protection of individual privacy and confidentiality. To define and achieve this balance, HHS defines required, permitted, and authorized uses and disclosures of PHI, all governed by an access control principle known as the "minimum necessary standard." Fortunately, as business associates, law firms are only liable for select portions of the Privacy Rule; they should focus compliance efforts on those aspects of the overall rule that are directly pertinent to them.

DEFINITIONS OF USES AND DISCLOSURES

The Privacy Rule classifies uses and disclosures of PHI into three categories: required, permitted, and authorized. Covered entities and business associates are required to provide access to PHI to those individuals who are the subject of the data (or their representatives), when they request access or an accounting of disclosures of their PHI, and to HHS when it undertakes a compliance investigation or enforcement action.

HIPAA-affected organizations are permitted to provide access to PHI without an individual's explicit authorization for treatment, payment, and healthcare operations, as well as for facility directories or for public interest and benefit activities. Of interest to law firms, organizations are permitted to disclose PHI as required by law. A court order or protective order signed by a judge requires no further assurances or notifications to the individual, whereas a subpoena or discovery request signed by an attorney requires either notice to the individual, or a declaration that reasonable efforts have been made to notify the individual without success.

The following uses and disclosures of PHI require explicit authorization by the individual who is the subject of the data:

» PHI sent to a life insurer for coverage purposes.

» PHI sent to an employer of results of pre-employment physical or lab test.

» PHI sent to a pharmaceutical firm for marketing purposes.

» PHI used for the marketing of an organization’s appointments, treatments, products or services.

» PHI used for sales involving remuneration in exchange for PHI, not in exchange for the services provided

where PHI is involved (e.g., a health information exchange).

PHI used for fundraising and research purposes does not require explicit authorization, although the Omnibus Rule did render the authorization standards more stringent than previously.


THE MINIMUM NECESSARY STANDARD

Under the new rule, all uses and disclosures of PHI are governed by the "minimum necessary" standard, which stipulates that "covered entities and business associates must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure or request." This marks a significant shift in the way in which law firms manage client information. Until recently, law firms have generally granted internal lawyers and staff access to most information maintained within the firm's systems, placing access restrictions only in instances where ethical walls or confidentiality policies were mandated by the conflicts and imputation guidelines of a jurisdiction's ethical rules. To comply with HIPAA and with access control restrictions mandated by clients in requests for proposals, outside counsel guidelines, or on-site information security audits, firms must take a more controlled approach, granting access to highly sensitive information only to those lawyers and staff who require it to do their work.

What qualifies as "reasonable" efforts, of course, varies from firm to firm as a function of business processes, the cost of implementing access control tools, the quantity of PHI housed within the firm, and the dispersion of PHI across firm practice groups. For some smaller firms with lower budgets, a "reasonable" approach may be simply to have external firewalls and encryption, still granting access to most of the firm workforce. For larger firms with higher technology budgets, a "reasonable" approach would require sophisticated methods to identify, secure, and audit access to PHI, restricting access to local matter teams or practice groups with high PHI footprints.

Many firms must modify not only their access control strategies, but also the manner in which they request and intake information from clients. The Privacy Rule stipulates that business associates should "request" the minimum amount of PHI required for a given purpose. Firms should, therefore, consider providing engagement letters to covered entity and business associate clients that explicitly request that the client refrain from sending information easily identified as not necessary for the engagement.

WHAT ASPECTS OF THE PRIVACY RULE SHOULD LAW FIRMS FOCUS ON?

When developing a privacy program, firms should focus on:

» Reviewing all business associate agreements to understand and comply with access control restrictions.

» Limiting uses and disclosures of PHI 1) as required by a business associate agreement, or 2) as permitted or

required under HIPAA.

» Limiting permissible disclosures to the minimum necessary.

» Providing access to a covered entity, to an individual who is the subject of the PHI, or to HHS during an

investigation.

» Ensuring PHI is never sold.

» Establishing business associate agreements with relevant clients, subcontractors, hosted service providers,

expert witnesses, etc.

» Maintaining compliance records and submitting reports to HHS when required to evaluate compliance.

» Providing breach notification to the covered entity without unreasonable delay and no later than 60 days after discovery of the breach (a business associate agreement may require a shorter period).

» Developing a program to communicate privacy requirements to affected lawyers and staff.

As business associates, law firms are not formally required to appoint a privacy officer or to publish a notice of privacy practices, but many firms appoint a lawyer familiar with HIPAA, a risk leader, or a general counsel to manage privacy and contractual requirements.


SECTION V: SECURITY REQUIREMENTS

The second subsection of the HIPAA Rules, the Security Rule, was created to protect the privacy of individuals' health information while allowing covered entities and their business associates to adopt new technologies. Like the Privacy Rule, it is designed to be flexible, general, and scalable, allowing organizations to analyze and interpret the means by which they will satisfy compliance with the 40 unique "implementation specifications" the rule requires. Unlike the Privacy Rule, it applies only to electronic PHI, as opposed to PHI in any medium (oral, paper, or electronic). Originally published in 2003, the rule contains some anachronisms that must be considered cautiously given the rapid developments in available technologies that have occurred since the initial publication.

STRUCTURE OF THE HIPAA SECURITY RULE

Akin to general information security frameworks like ISO 27001/27002 or NIST SP 800-53, the Security Rule defines a list of 40 required and addressable measures for protecting the confidentiality, integrity, and availability of PHI that is held or transmitted by covered entities and their business associates. The measures, or "implementation specifications," are classified into three types:

» Administrative safeguards refer to the processes and procedures covered entities and business associates must address to understand their environment, assess risks to PHI, train the workforce on requirements, and develop disaster recovery and contingency plans.
» Physical safeguards refer to the tools and policies covered entities and business associates must have in place to control security on workstations, facilities, and mobile devices.
» Technical safeguards refer to the software and tools covered entities and business associates must have in place to ensure the confidentiality, integrity, and availability of electronic PHI and to protect against reasonably anticipated, impermissible uses or disclosures.

The definitions the Security Rule provides for confidentiality, integrity, and availability complement and supplement the requirements of the Privacy Rule. "Confidentiality" means that electronic PHI (ePHI) is not available or disclosed to unauthorized persons, supporting the Privacy Rule's prohibitions against improper uses and disclosures of PHI. "Integrity" means that ePHI is not altered or destroyed in an unauthorized manner, to ensure that it is always available and accurate for individuals. And "Availability" means that ePHI is accessible and usable on demand by an authorized person, supporting the required disclosures of the Privacy Rule.

COMPLIANCE WITH THE SECURITY RULE

As business associates, law firms are liable for compliance with the entirety of the HIPAA Security Rule, which, as with the Privacy Rule, often necessitates investment and energy in policies and procedures that exceed their standard information security practices. As with the Privacy Rule, firms will address the requirements of the Security Rule in myriad ways depending on their available technologies, size, PHI footprint, and the outcome of their risk assessment. Variation also results from the fact that some implementation specifications are required and others are addressable. "Addressable" does not mean optional: the organization must assess whether the specification is reasonable and appropriate in its environment and, if it is not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. Required specifications include performing a risk analysis to identify vulnerabilities, assigning responsibility to a HIPAA security officer, and employing access control technologies to restrict access per user. Addressable specifications include developing a workforce clearance procedure, providing security reminders to the workforce, and encrypting electronic information. HHS is currently reassessing the encryption requirement to ensure that the standard adequately addresses current information flows and technologies. For a good checklist of the Security Rule requirements, see the Appendix.

To reduce the administrative burden of securing PHI, many firms develop policies requiring that lawyers and staff maintain and store PHI on one, and only one, central system, often the firm's document management system or secure file shares. Often this requires a change management effort to migrate PHI from scattered file shares to a secure and structured environment like a document management system. Firms frequently identify incoming PHI at new matter intake and educate lawyers and staff to file and secure data according to firm policy later in the matter lifecycle. To address the requirement to track access to PHI both internally and externally, law firm business associates increasingly use software to monitor for, and address, suspicious activity. Finally, firms should consider investing in encryption software to safeguard PHI transferred between organizations or accessed via personal mobile devices.
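The minimum necessary standard in Section IV and the access-tracking requirement just described come down to the same control: knowing who is on a matter team, which documents carry PHI, and who actually opened them. The following Python script is an added example, not code from the Task Force report or from any vendor product. It assumes a document management system that tags PHI documents with their client matter and writes one "timestamp user document action" line per access; the matter rosters, document tags, log lines, and the three-downloads-in-ten-minutes threshold are all constructed for illustration.

```python
"""Audit DMS access to PHI against matter-team membership.

Added example (not from the Task Force report). Assumes a document
management system that tags PHI documents with their client matter and
logs one 'timestamp user document action' line per access. All data
below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    doc: str
    action: str


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    doc: str
    detail: str


# Constructed: matter -> users cleared for it (the "matter team"). Under a
# minimum-necessary model only these users may open the matter's PHI.
MATTER_TEAMS = {
    "M-1001": {"jsmith", "alee"},
    "M-1002": {"rkhan"},
}
# Constructed: document -> matter and whether intake flagged it as PHI.
DOCUMENTS = {
    "DOC-1": {"matter": "M-1001", "phi": True},
    "DOC-2": {"matter": "M-1001", "phi": False},
    "DOC-3": {"matter": "M-1002", "phi": True},
    "DOC-4": {"matter": "M-1002", "phi": True},
}
# Constructed DMS access log.
SAMPLE_LOG = """\
2014-06-02T09:01:10 jsmith DOC-1 open
2014-06-02T09:05:44 bwong DOC-1 open
2014-06-02T09:06:02 bwong DOC-2 open
2014-06-02T22:13:09 rkhan DOC-3 open
2014-06-02T22:13:15 rkhan DOC-3 download
2014-06-02T22:14:00 rkhan DOC-4 download
2014-06-02T22:14:30 rkhan DOC-3 download
2014-06-03T08:00:00 alee DOC-9 open
"""


def parse_log(text):
    """Parse log lines into AccessEvents, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, doc, action = parts
        events.append(AccessEvent(datetime.fromisoformat(ts), user, doc, action))
    return events


def audit(events, teams=MATTER_TEAMS, docs=DOCUMENTS,
          bulk_threshold=3, window=timedelta(minutes=10)):
    """Flag PHI accesses outside the matter team, bulk PHI downloads, and
    accesses to documents that never went through PHI tagging."""
    findings = []
    downloads = defaultdict(list)  # user -> timestamps of recent PHI downloads
    for ev in sorted(events, key=lambda e: e.ts):
        meta = docs.get(ev.doc)
        if meta is None:
            findings.append(Finding("UNTAGGED_DOCUMENT", ev.user, ev.doc,
                                    "document has no matter/PHI tag; intake control failed"))
            continue
        if not meta["phi"]:
            continue  # ordinary matter material is outside this audit's scope
        if ev.user not in teams.get(meta["matter"], set()):
            findings.append(Finding("OUT_OF_TEAM_PHI_ACCESS", ev.user, ev.doc,
                                    f"user is not on the team for matter {meta['matter']}"))
        if ev.action == "download":
            # Sliding window: keep only downloads within `window` of this one
            # and alert when the count first reaches the threshold.
            recent = [t for t in downloads[ev.user] if ev.ts - t <= window] + [ev.ts]
            downloads[ev.user] = recent
            if len(recent) == bulk_threshold:
                findings.append(Finding("BULK_PHI_DOWNLOAD", ev.user, ev.doc,
                                        f"{bulk_threshold} PHI downloads within {window}"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f"{f.kind:24} {f.user:8} {f.doc:6} {f.detail}")
```

Out-of-team access to a non-PHI document (bwong opening DOC-2) is deliberately not flagged: the audit enforces the narrower PHI restriction rather than a firm-wide lockdown, which is the "reasonable efforts" scaling the report describes. The untagged-document finding matters as much as the other two, because a PHI document that bypassed intake tagging is invisible to every downstream control. Findings belong in the firm's compliance records, since the Security Rule expects access to ePHI to be tracked and reviewed.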

Achieving compliance with the Security Rule is not a one-time event. Firms should review and modify their systems and processes regularly to adapt protections for ePHI to new technologies or other environmental changes. As part of an ongoing risk assessment, firms should re-evaluate risks to ePHI, train incoming lawyers, associates and staff, send frequent reminders to the workforce to keep policies top of mind, and stay abreast of available technologies to address technical requirements. Finally, the firm should keep logs and records of its compliance efforts, documenting modifications over time.

SECTION VI: BREACH NOTIFICATION

The third subsection of the HIPAA Rules is the Breach Notification Rule. The 2009 HITECH Act created the first national requirement for notification of security breaches with respect to individual health information, now effective under the Omnibus Rule. The Breach Notification Rule requires HIPAA covered entities to provide certain notifications in response to a breach of unsecured PHI. In addition, business associates of covered entities have an obligation to notify covered entities in the event that any of the covered entities' PHI in the business associate's possession was subject to a breach.

DEFINITION OF A BREACH

The Final Rule revised the definition of a breach of unsecured PHI to make it more difficult for a covered entity, or a business associate, to avoid reporting an unauthorized use or disclosure of PHI to affected individuals and to OCR. It replaced the harm threshold standard with a new "rebuttable presumption" standard. The Final Rule clarifies that an impermissible use or disclosure of PHI is presumed to be a reportable breach unless the covered entity or business associate can demonstrate that there is a "low probability" that the PHI has been compromised. Put another way, an unauthorized use or disclosure would not qualify as a breach of unsecured PHI if the covered entity or business associate has demonstrated, pursuant to a breach investigation, that there is a low probability that the PHI has been compromised, or if the unauthorized use or disclosure does not involve unsecured PHI.

Typically, the law firm as a provider of legal services to its covered entity clients qualifies as a business associate if it receives the client's PHI. At least two items dictate the law firm's responsibilities if PHI is compromised: (1) HIPAA and its regulations; and (2) the Business Associate Agreement between the client/covered entity and the law firm. Both require compliance in managing a security incident affecting PHI.

Under HIPAA, the law firm must determine whether unsecured PHI is involved in the incident. PHI is "unsecured" if it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS. PHI will only be deemed "secured" if it is encrypted or destroyed in accordance with the guidance referenced by HHS and published by the National Institute of Standards and Technology (NIST). One of the initial questions that the law firm should ask in its investigation is whether the PHI is encrypted according to NIST standards. If yes, then the event, based on HIPAA alone and no other considerations, is not a reportable breach of unsecured PHI. Note that under the HHS guidance the encryption must actually be effective: if the decryption key or passphrase was compromised along with the data, the PHI is not "secured".

The law firm must then determine whether the incident qualifies as a breach. A breach means the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the unsecured PHI and that is not excluded from the definition of breach set forth in the applicable regulations.


THE FOUR-FACTOR RISK ASSESSMENT

If it is determined that the information involved in a breach is unsecured PHI and no applicable exceptions apply, then the law firm must conduct a risk assessment to determine whether there is "a low probability that the PHI has been compromised." The Final Rule provides four factors to be considered to determine whether the PHI has been compromised:

» The nature and extent of the PHI involved, including the types of identifiers and the likelihood of

re-identification. For example, risk increases when sensitive financial information, such as credit card

numbers or social security numbers are involved, or if the potential breach involves sensitive medical

information.

» The identity of the unauthorized person who used the PHI or to whom the disclosure was made. If the

recipient is another covered entity, business associate, or covered under other privacy laws, the risk

is decreased.

» Whether the PHI was actually acquired or viewed. For example, if a laptop is lost or stolen but later

recovered, and a forensic analysis shows that the PHI was never accessed, the risk is lessened.

» The extent to which the risk to the PHI has been mitigated. For example, the covered entity may mitigate

risk by having the recipient sign a confidentiality agreement that the PHI will be destroyed or will not

be further used or disclosed.

The law firm must evaluate the overall probability that the PHI has been compromised by considering each one of these four factors, and other factors as deemed appropriate. HHS emphasizes that such risk assessments must be thorough and completed in good faith, and the conclusions reached must be reasonable. If an evaluation of these factors fails to demonstrate that there is a low probability that the PHI has been compromised, the law firm is required to notify the client/covered entity, which in turn may be required to notify the affected individuals and/or OCR.

Tosummarize,lawfirmbusinessassociatesarenowsubjecttodirectregulationandenforcementoftheBreach

NotificationRule,andshouldtakeheedoftheirregulatoryobligationsforinvestigatingandreportingofbreaches

ofunsecuredPHI.Asabusinessassociate,lawfirmswillhavetheburdenofprooftodemonstratethattheyhave

providedtheclient/coveredentitywithrequirednotifications,orthattheimpermissibleuseordisclosuredidnot

constituteareportablebreach.Lawfirmsmust,therefore,maintaindocumentationasnecessarytomeetthis

burdenofproof.


SECTION VII: DATA PROTECTION AND PRIVACY PROGRAM

Breaches and data loss incidents have become a fact of life for firms of every size. No one is immune from the loss of sensitive and confidential data. As businesses amass larger quantities of diversified data on a range of devices, including consumer information, employee records, business partner and proprietary data, everyone must be prepared for the inevitable loss. The alarming growth in data incidents and cybercrime highlights the challenges that all business leaders face.

While many firms may be aware of the threat, they are not necessarily equipped to respond effectively, or mistakenly think it will not happen to them. Compounding this misguided sense of security is the mindset that cybersecurity is an IT issue. Viewing breaches as a purely technical issue is a recipe for failure; every department within an organization needs to play a role in readiness planning. Firms must acknowledge the enterprise-wide disruption that can occur when a data breach is discovered. Those that prepare in advance will not only be in a position to survive the data breach, but will retain their good reputation in the eyes of their clients, partners, and employees. Implementation of an effective data protection and privacy program is an essential step in addressing these important issues.

DATA LIFECYCLE MANAGEMENT & STEWARDSHIP

The legal industry advocates for the need to create a data lifecycle strategy and incident response plan, evaluating data from acquisition through use, storage, and destruction. A key to successful data lifecycle management is balancing regulatory requirements with business needs and client expectations.

DATA GOVERNANCE AND LOSS PREVENTION

A law firm's responsibility for data governance is dynamic and in a constant state of modification. Policy and procedure development, along with establishing roles and responsibilities, is a key component of governance. The level of responsibility varies not only between countries but also between states.

INCIDENT RESPONSE PLANNING

Law firms must be prepared to react on several fronts when confronted with a data loss incident or breach. To be prepared, it is critical to have an orchestrated response plan, with relationships with key vendors and law enforcement already in place. A well-documented project plan is only as good as the training and readiness of the incident team. Incident response planning should include:

» Creation of an incident response team (please see Illustration 1 below)

» Creation of a project plan

» Determination of incident notification requirements

» Creation of appropriate responses

» Providing assistance & possible remedies


INCIDENT RESPONSE TEAM

» Firm General Counsel

» Executive Team

» Information Technology / Security

» Risk Management / Compliance

» Forensics

» Outside Legal

» Law Enforcement

» Human Resources

» Public Relations

» Card Associations

TRAINING, TESTING AND BUDGET

A data protection and privacy plan will ultimately fail to be executed if the attorneys and employees charged with its administration are not adequately trained. Law firms must have the foresight to allocate staff time and budget for the proper training and execution of their data protection plan. In order for a program to be successful, it is critical that the plan be reviewed by key stakeholders, be fully tested, and be updated regularly (consider quarterly) to address changes in the firm or in the threat landscape.

Factors to consider in this area include:

» Employee awareness and readiness training

» Analysis of the legal implications

» Funding and budgeting

» Critique and after action analysis

Data protection and privacy, along with a firm's preparedness for a data loss incident, are significant issues every stakeholder must recognize. This risk has been elevated by several factors, including the regular collection of vast amounts of digital information and increasing levels of cybercrime, geo-location applications, and online malice. Combined with the explosive growth of big data, mobile devices, and increased reliance on cloud service providers, it is vital that firm leaders focus on data stewardship as a key firm priority and responsibility. Failure to do so puts clients and the firm in harm's way unnecessarily, adding to the regulatory and legal risk.

Illustration 1: Incident Response Team (listed above)


SECTION VIII: RECOMMENDED BEST PRACTICES

Developing, implementing, and maintaining a satisfactory HIPAA compliance program in a law firm environment is a daunting task for all information governance professionals. It is important that firms adhere to best practices and approach compliance gradually, making headway when possible to avoid the penalties associated with "willful neglect" while documenting a long-term compliance plan that testifies to conscious and concerted effort.

In accordance with the preceding overview of the HIPAA Omnibus requirements, we recommend the following best practices:

» Assign a designated HIPAA security officer and, if applicable, privacy officer responsible for the firm’s

HIPAA compliance program. If identified as necessary, seek external assistance to help develop, implement,

and monitor the firm’s HIPAA compliance efforts.

» Inventory all existing business associate agreements with client covered entities and business associates.

Modify agreements as required to accommodate the revised requirements of the Omnibus Rule before

September 22, 2014.

» Develop and implement a centralized process for drafting, reviewing, and executing new business associate

agreements going forward. Execute business associate agreements where required with downstream HIPAA

subcontractors.

» Perform the risk assessment required by the HIPAA Security Rule to identify areas that require remediation

to achieve compliance.

» In conjunction with implementing and complying with good data asset protection policies, firm-wide training, and auditing procedures, the firm should inventory the systems where PHI is created, maintained, stored, or transmitted. This can be achieved by using tools like data loss prevention (DLP) software and predictive coding/classification technologies.

» Identify information that contains PHI by executing a manual keyword search and classification of unstructured content, performed by the relevant custodians (i.e., attorneys and staff). Further, designate PHI content in its profile properties form within structured environments like a document management system. This can be as simple as adding a metadata field called "PHI." Begin with active matters to make short-term progress and proceed to information maintained on behalf of former clients.

» Designate a repository to maintain PHI and implement appropriate technologies to secure, monitor, and

encrypt PHI handled by the firm in accordance with access control standards and requirements. Mandatory

encryption of PHI should be standard operating procedure whenever it is stored outside of a protective

perimeter (or firewall), and during transmission/transport through unsecured channels (portable media).

» Develop, implement, and document the firm’s approach to handling PHI in accordance with the minimum

necessary standard of the Privacy Rule going forward. Modify and document new business intake procedures

and processes to include mandatory engagement letters that stipulate the firm’s requirements for requesting

and receiving PHI from clients. Include questions on intake forms to identify and flag HIPAA-related matters

so appropriate security measures can be applied.


» Educate affected lawyers and staff about the HIPAA requirements: their responsibilities for identifying and securing client PHI, their responsibilities for identifying potential business associate relationships with expert witnesses and other downstream contractors, and the firm's finalized protocol for securing PHI in its environment.

» Develop and implement policies and procedures that operationalize the HIPAA-related requirements

for determining whether a reportable breach of unsecured PHI has occurred. These written policies and

procedures should account for non-HIPAA mandated requirements that may govern the same incident, such

as applicable U.S. state data breach notification laws, business associate agreements with clients, and ethical

and contractual obligations.

» Develop procedures to identify business associate agreements between the law firm and the client/covered

entity that require the firm to report security incidents more quickly than is required by HIPAA itself, and

may even require that the firm report suspected breaches of unsecured PHI to the client/covered entity.
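Two of the practices above, inventorying where PHI lives with DLP or classification tooling and flagging PHI content with a "PHI" metadata field, can be prototyped before a firm buys a product. The Python script below is an added example written for this edit; it is not code from the report, from the Task Force, or from any vendor. It scans constructed sample matter files for the identifier types the four-factor assessment calls out (social security numbers, payment card numbers) plus medical record numbers and dates of birth, validates each candidate (SSA area/group/serial rules, the Luhn checksum) so that invoice numbers and similar digit runs do not trigger, and proposes a value for the DMS "PHI" field. The regular expressions, the health-context term list, the three-way tag, and all sample data are assumptions made for the demonstration; a real document set needs tuning and, as the text says, custodian review.

```python
import re
from dataclasses import dataclass

# Constructed sample matter files standing in for unstructured content.
# Every identifier below is a well-known test value, not real data.
SAMPLE_DOCUMENTS = {
    "matter-1001/intake.txt": (
        "Client intake. Patient John Q. Sample, DOB 03/14/1962, SSN 123-45-6789, "
        "MRN 00045678. Diagnosis: type 2 diabetes. Card on file 4111 1111 1111 1111."
    ),
    "matter-1002/memo.txt": (
        "Memo re contract dispute. Invoice 987-65-4321 disputed; payment attempted "
        "with card 5500 0000 0000 0004. Meeting set for 12/01/2014."
    ),
    "matter-1003/notes.txt": "Deposition notes. No health information discussed.",
}

# Assumed detection patterns; tune these for the firm's own document set.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MRN_RE = re.compile(r"\bMRN[:#\s]*(\d{6,10})\b", re.IGNORECASE)
DOB_RE = re.compile(r"\b(?:DOB|date of birth)[:\s]*(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE)
HEALTH_TERMS = ("patient", "diagnosis", "treatment", "prescription", "medical record")


@dataclass
class Finding:
    kind: str
    masked: str  # only the last four digits survive into any report or log


@dataclass
class ScanResult:
    path: str
    findings: list
    health_context: bool
    tag: str  # proposed value for the DMS "PHI" field: PHI, SENSITIVE or NONE


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject area/group/serial values the SSA never issues (000, 666, 900-999; 00; 0000)."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return validated identifier findings and whether the text has a health context."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(m.group(0)):
            findings.append(Finding("ssn", mask(m.group(0).replace("-", ""))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding("credit_card", mask(digits)))
    for m in MRN_RE.finditer(text):
        findings.append(Finding("mrn", mask(m.group(1))))
    for m in DOB_RE.finditer(text):
        findings.append(Finding("dob", "**/**/" + m.group(1)[-4:]))
    lowered = text.lower()
    health_context = any(t in lowered for t in HEALTH_TERMS) or any(f.kind == "mrn" for f in findings)
    return findings, health_context


def classify(path: str, text: str) -> ScanResult:
    findings, health_context = scan_text(text)
    if findings and health_context:
        tag = "PHI"  # individually identifiable information in a health context
    elif findings:
        tag = "SENSITIVE"  # identifiers without health context: not PHI, still protected data
    else:
        tag = "NONE"
    return ScanResult(path, findings, health_context, tag)


def scan_documents(documents: dict) -> dict:
    return {path: classify(path, text) for path, text in documents.items()}


if __name__ == "__main__":
    for r in scan_documents(SAMPLE_DOCUMENTS).values():
        print(r.path, r.tag, [(f.kind, f.masked) for f in r.findings])
```

The SENSITIVE/PHI split matters for the breach analysis earlier in the report: a card number in a contract memo is not PHI, but it is exactly the kind of identifier that raises the first of the four factors, so the scanner keeps it visible rather than discarding it. Findings are masked before they leave the function so the inventory itself does not become a second copy of the PHI.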


REFERENCES

1. 45 CFR Parts 160, 162, 164; U.S. Department of Health and Human Services Office for Civil Rights HIPAA

Administrative Simplification

2. U.S. Department of Health & Human Services

http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html

3. Protected Health Information (PHI), pg. 10, February 2014, Redspin

4. Indian Health Service (IHS), Federal Health Program for American Indians and Alaska Natives, HIPAA Security Checklist.

http://www.ihs.gov/hipaa/documents/ihs_hipaa_security_checklist.pdf

AUTHORITIES

HIPAA Minimum Necessary Standard Should be Key Component of Policies and Procedures, Now More than Ever;

Duane Morris, February 2013, Hart, Elinor and Clark, Lisa.

http://www.duanemorris.com/alerts/HIPAA_minimum_necessary_standard_should_be_key_component_policies_

and_procedures_4743.html

A Comprehensive Summary of the Final Omnibus HIPAA/HITECH Rules: Key Provisions and What They Mean

for You; Poyner Spruill, 2013, Johnson, Elizabeth.

http://www.poynerspruill.com/publications/Pages/summaryofNewHIPAARules.aspx

New Omnibus Rule Released: HIPAA Puts on More Weight; Davis Wright Tremaine, January 2013, Williams,

Rebecca, Greene, Adam, Barash, Louisa, Eckels, Jane, Rauzi, Edwin, Thurber, Kent, and Blanchette, Kristen.

http://www.dwt.com/new-omnibus-rule-released-hipaa-puts-on-more-weight-01-23-2013/

HIPAA SECURITY RULE REFERENCE | SAFEGUARD ((R) = REQUIRED, (A) = ADDRESSABLE) | STATUS (COMPLETE / N/A)

Administrative Safeguards

164.308(a)(1)(i) | Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations.

164.308(a)(1)(ii)(A) | Has a Risk Analysis been completed in accordance with NIST guidelines? (R)

164.308(a)(1)(ii)(B) | Has the Risk Management process been completed in accordance with NIST guidelines? (R)

164.308(a)(1)(ii)(C) | Do you have formal sanctions against employees who fail to comply with security policies and procedures? (R)

164.308(a)(1)(ii)(D) | Have you implemented procedures to regularly review records of IS activity such as audit logs, access reports, and security incident tracking? (R)

164.308(a)(2) | Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

164.308(a)(3)(i) | Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information (ePHI).

164.308(a)(3)(ii)(A) | Have you implemented procedures for the authorization and/or supervision of employees who work with ePHI or in locations where it might be accessed? (A)

164.308(a)(3)(ii)(B) | Have you implemented procedures to determine that the access of an employee to ePHI is appropriate? (A)

APPENDIX: HIPAA OMNIBUS SECURITY RULE COMPLIANCE CHECKLIST

The Task Force found the table in this appendix, created by the Indian Health Service (IHS) [4], the Federal Health Program for American Indians and Alaska Natives, to be an excellent summary of the addressable and required actions for complying with the HIPAA Omnibus Security Rule in accordance with NIST guidelines.


164.308(a)(3)(ii)(C) | Have you implemented procedures for terminating access to ePHI when an employee leaves your organization or as required by paragraph (a)(3)(ii)(B) of this section? (A)

164.308(a)(4)(i) | Information Access Management: Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of subpart E of this part.

164.308(a)(4)(ii)(A) | If you are a clearinghouse that is part of a larger organization, have you implemented policies and procedures to protect ePHI from the larger organization? (R)

164.308(a)(4)(ii)(B) | Have you implemented policies and procedures for granting access to ePHI, for example, through access to a workstation, transaction, program, or process? (A)

164.308(a)(4)(ii)(C) | Have you implemented policies and procedures that, based upon your access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process? (A)

164.308(a)(5)(i) | Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management).

164.308(a)(5)(ii)(A) | Do you provide periodic information security reminders? (A)

164.308(a)(5)(ii)(B) | Do you have policies and procedures for guarding against, detecting, and reporting malicious software? (A)

164.308(a)(5)(ii)(C) | Do you have procedures for monitoring login attempts and reporting discrepancies? (A)

164.308(a)(5)(ii)(D) | Do you have procedures for creating, changing, and safeguarding passwords? (A)

164.308(a)(6)(i) | Security Incident Procedures: Implement policies and procedures to address security incidents.

164.308(a)(6)(ii) | Do you have procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of known security incidents; and document incidents and their outcomes? (R)


164.308(a)(7)(i) | Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.

164.308(a)(7)(ii)(A) | Have you established and implemented procedures to create and maintain retrievable exact copies of ePHI? (R)

164.308(a)(7)(ii)(B) | Have you established (and implemented as needed) procedures to restore any loss of ePHI data that is stored electronically? (R)

164.308(a)(7)(ii)(C) | Have you established (and implemented as needed) procedures to enable continuation of critical business processes and for protection of ePHI while operating in the emergency mode? (R)

164.308(a)(7)(ii)(E) | Have you assessed the relative criticality of specific applications and data in support of other contingency plan components? (A)

164.308(a)(8) | Have you established a plan for periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart? (R)

164.308(b)(1) | Business Associate Contracts and Other Arrangements: A covered entity, in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with Sec. 164.314(a), that the business associate will appropriately safeguard the information.

164.308(b)(4) | Have you established written contracts or other arrangements with your trading partners that document the satisfactory assurances required by paragraph (b)(1) of this section and that meet the applicable requirements of Sec. 164.314(a)? (R)


Physical Safeguards

164.310(a)(1) | Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

164.310(a)(2)(i) | Have you established (and implemented as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency? (A)

164.310(a)(2)(ii) | Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A)

164.310(a)(2)(iii) | Have you implemented procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision? (A)

164.310(a)(2)(iv) | Have you implemented policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks)? (A)

164.310(b) | Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI? (R)

164.310(c) | Have you implemented physical safeguards for all workstations that access ePHI to restrict access to authorized users? (R)

164.310(d)(1) | Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.

164.310(d)(2)(i) | Have you implemented policies and procedures to address final disposition of ePHI, and/or hardware or electronic media on which it is stored? (R)


164.310(d)(2)(ii) | Have you implemented procedures for removal of ePHI from electronic media before the media are available for reuse? (R)

164.310(d)(2)(iii) | Do you maintain a record of the movements of hardware and electronic media and the person responsible for its movement? (A)

164.310(d)(2)(iv) | Do you create a retrievable, exact copy of ePHI, when needed, before movement of equipment? (A)

Technical Safeguards

164.312(a)(1) | Access Controls: Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).

164.312(a)(2)(i) | Have you assigned a unique name and/or number for identifying and tracking user identity? (R)

164.312(a)(2)(ii) | Have you established (and implemented as needed) procedures for obtaining necessary ePHI during an emergency? (R)

164.312(a)(2)(iii) | Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity? (A)

164.312(a)(2)(iv) | Have you implemented a mechanism to encrypt and decrypt ePHI? (A)

164.312(b) | Have you implemented Audit Controls: hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI? (R)

164.312(c)(1) | Integrity: Implement policies and procedures to protect ePHI from improper alteration or destruction.

164.312(c)(2) | Have you implemented electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner? (A)

164.312(d) | Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access to ePHI is the one claimed? (R)


164.312(e)(1) | Transmission Security: Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.

164.312(e)(2)(i) | Have you implemented security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposal? (A)

164.312(e)(2)(ii) | Have you implemented a mechanism to encrypt ePHI whenever deemed appropriate? (A)
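The checklist row for 164.312(c)(2) asks for an "electronic mechanism to corroborate that ePHI has not been altered or destroyed in an unauthorized manner", and the 164.308(a)(1)(ii)(D) row asks for regular review of activity records. As an added example, not code from the report or from the IHS checklist, the Python script below shows one such mechanism: a per-file SHA-256 manifest for a repository of ePHI, signed with HMAC-SHA256 so that an attacker who can rewrite a file cannot also rewrite its recorded digest. Verification reports changed, missing and added files, and refuses to trust a manifest whose own authentication tag fails. The key, the directory layout and the file contents are constructed for the demonstration; a real deployment would load the key from a key store and store the manifest somewhere the repository's own administrators cannot silently replace it.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumed demo key; a real deployment pulls this from a key store, never from source.
DEMO_KEY = b"demo-manifest-key-not-for-production"


def sha256_file(path: str, chunk: int = 65536) -> str:
    """Stream the file so large scanned records do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _walk(root: str):
    """Yield (relative path, absolute path) for every file under root, in stable order."""
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root: str, key: bytes) -> dict:
    """Record a SHA-256 digest per file and sign the whole record with HMAC-SHA256.
    An unkeyed hash list is not enough: whoever can alter a file can rewrite its hash."""
    entries = {rel: sha256_file(full) for rel, full in _walk(root)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(root: str, manifest: dict, key: bytes) -> dict:
    """Return {'manifest_ok': bool, 'changed': [...], 'missing': [...], 'added': [...]}."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # The manifest itself fails authentication, so none of its digests can be trusted.
        return {"manifest_ok": False, "changed": [], "missing": [], "added": []}
    current = {rel: sha256_file(full) for rel, full in _walk(root)}
    recorded = manifest["entries"]
    return {
        "manifest_ok": True,
        "changed": sorted(r for r in recorded if r in current and current[r] != recorded[r]),
        "missing": sorted(r for r in recorded if r not in current),
        "added": sorted(r for r in current if r not in recorded),
    }


def demo() -> tuple:
    """Constructed scenario: baseline two records, then alter one, delete one, add one,
    and finally try to forge the manifest to hide the alteration."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("record-1.txt", "constructed ePHI record 1\n"),
                           ("record-2.txt", "constructed ePHI record 2\n")):
            with open(os.path.join(root, name), "w") as f:
                f.write(body)
        manifest = build_manifest(root, DEMO_KEY)
        baseline = verify_manifest(root, manifest, DEMO_KEY)

        with open(os.path.join(root, "record-1.txt"), "a") as f:
            f.write("silently appended line\n")
        os.remove(os.path.join(root, "record-2.txt"))
        with open(os.path.join(root, "record-3.txt"), "w") as f:
            f.write("unexpected new file\n")
        after_tamper = verify_manifest(root, manifest, DEMO_KEY)

        # Attacker rewrites the digest for the altered file but cannot recompute the HMAC.
        forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
        forged["entries"]["record-1.txt"] = sha256_file(os.path.join(root, "record-1.txt"))
        forged_result = verify_manifest(root, forged, DEMO_KEY)
    return baseline, after_tamper, forged_result


if __name__ == "__main__":
    for label, result in zip(("baseline", "after tamper", "forged manifest"), demo()):
        print(label, result)
```

Run on a schedule, the output of verify_manifest is the kind of activity record the 164.308(a)(1)(ii)(D) review is meant to cover: an empty result is evidence for the "low probability of compromise" finding in the breach analysis, and a non-empty one is the trigger for the incident procedures under 164.308(a)(6)(ii).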


US-LAW-EXT-BR-082014-014

ABOUT IRON MOUNTAIN

Iron Mountain Incorporated (NYSE: IRM) provides information management services that help organizations lower the costs, risks and inefficiencies of managing their physical and digital data. Founded in 1951, Iron Mountain manages billions of information assets, including backup and archival data, electronic records, document imaging, business records, secure shredding, and more, for organizations around the world. Visit the company website at www.ironmountain.com for more information.

© 2014 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated in the U.S. and other countries. All other trademarks are the property of their respective owners.